New program helps meet HIPAA security rules
Encryption technology maintains confidentiality
While the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has the primary goal of making health insurance portable for thousands of Americans, the act also mandates new security standards and electronic data interchange (EDI) requirements. These requirements, to say the least, are having far-reaching effects on the entire health care industry, including the professionals who manage occupational health clinics.
A new program developed by Dallas-based ZixIt Corporation, called ZixMail, is designed to help ensure compliance with those security regulations. The product, introduced at several beta sites last year, was just formally launched this spring.
"In addition to meeting confidentiality requirements, it is important for us to facilitate efficiencies for cost savings that the increased use of technology affords," notes Pat Feyen, director of sales in ZixIt’s health care division. "We are behind the curve compared to many other industries. In addition to developing standards to protect security, confidentiality, and integrity of private information, this was one of the goals of HIPAA," he explains.
HIPAA’s security standards address administrative procedures, physical safeguards of information in computer systems, technical security, and technical security mechanisms, notes Feyen, who served as president and CEO for the Texas and Oklahoma region of PacifiCare Health before joining ZixIt. "There have to be policies and procedures in place within the affected entity," he explains. "They have to be approved by the security committee, people must be in place who are accountable for compliance, and you have to track access to ‘individually identifiable health information’ to desktops and to the database. If there is a way a reader can identify me with related health data, they have to be protected."
Encryption required
Once this information is moved electronically over the Internet, HIPAA requires the information to be encrypted, notes Feyen. "That’s the part of the process we bring value to." The strength of encryption in ZixMail will meet and exceed HIPAA standards and requirements, says Feyen. "Its other aspects as a business tool make it more efficient."
Here’s how it works: The program is installed on a desktop computer, which takes between six and eight minutes. "It can be downloaded from our web site (www.zixit.com); if the client is a large company, we can work with the system administrator to push it to each computer," Feyen explains.
The users then create a password, and if they are using Microsoft Outlook or the Lotus Notes e-mail programs, nothing else changes. "ZixMail is integrated with those programs," Feyen says. "You simply create an e-mail, grab all the attachments you need, as usual. Then, instead of clicking the ‘send’ button, you click a red ‘Z’ button, type in your pass phrase, and then hit ‘send.’"
What happens then is a bit more complicated. In the world of encryption, there are both public and private keys. ZixIt stores and manages all of the public keys on its worldwide signature server in Dallas. "So, when I send you an e-mail and hit the red ‘Z,’ the message goes to the server, which grabs the recipient’s public key and encrypts the message and attachments so they can be sent point to point," Feyen explains.
The private key is inherent in the software when it’s downloaded. "The only thing that will open the file is your matching private key," says Feyen. "That triggers the decryption of the message."
Unlike earlier encryption programs, ZixMail can be used by individuals who have not downloaded the program themselves, Feyen observes. "You can send your information to anyone. If the receiver has not installed ZixMail, the system knows that. Since the recipient does not have a public key, we use the worldwide signature public key, send it to the sender’s desktop, encrypt the message, then send it back to the server and store it for anywhere from one to 21 days. The receiver is notified that he has a secure message waiting for him," he adds. "He opens it, clicks on the hyperlink, and through our secured connection, it will go to the server and he can read or cut and paste and download the attachment. All of this happens instantaneously."
In this manner, says Feyen, the sender complies with HIPAA regulations by securing the message. The reply is encrypted as well. "But you can’t initiate a new message unless you have installed ZixMail," he adds.
Addressing challenges
There are no universal standards when it comes to encryption technology, says Feyen, which causes some difficult challenges. "A lot of products are exclusive — that is, you can’t talk to another institution if it is not using the same program you are. We’ve addressed the issues of interoperability and compatibility."
ZixMail also provides a certified receipt. "When I send you a message, I can check a box that says I want certified receipts notifying me of the exact time and date that you opened the message. I get a note back with that information. This is important, because there are time requirements for responding to claims, submitting credentialing information for physicians, and so on." Feyen notes that ZixMail also is quite affordable. "The charge is only $24 per year per e-mail address."
Of course, since ZixIt’s health care initiative with ZixMail was just launched in March, the jury is still out in terms of users. One such user, Paul Porter, security architect for United Health Care in Minnetonka, MN, is pleased with the results so far. "From our standpoint, this one just works," he says, while noting that ZixMail is not yet considered to be an "authorized product" for United Health. "We don’t yet have a formal relationship; we’re still beta testing," Porter explains.
Porter is testing ZixMail in several different groups, including the security group. "There’s a tremendous need for secure messaging," he notes. "There are clearly some tradeoffs one has to take a look at, and that’s why we’re trying to look at several systems. For example, once messages are encrypted, it’s difficult, if not impossible, to discover viruses." But, he adds, in light of HIPAA, encryption is a must. "This company [ZixIt] has done some non-standard things, and we have to wrestle with those issues," he says. "However, the other programs are not as automatic and user-friendly."
[For more information, contact:
• Pat Feyen, Director of Sales, Healthcare Division, ZixIt Corporation, 2711 N. Haskell Ave., Suite 2300 LB36, Dallas, TX 75204-2960. Telephone: (214) 370-2005.
• Paul Porter, United Healthcare, Minnetonka, MN. Telephone: (952) 936-1300.]